
Phishing Campaign Impersonating SSA Deploys Remote Access Tool

Hackers have launched a sophisticated phishing campaign impersonating the United States Social Security Administration (SSA) to deliver the ConnectWise Remote Access Tool (RAT), according to a report by Cofense Intelligence. This operation, active since September 2024 and intensifying by November, employs advanced evasion techniques to compromise devices and extract sensitive information.

The phishing emails mimic official SSA communications, promising updated benefits statements to lure victims. Embedded links, disguised as legitimate SSA web pages, lead to the installation of the ConnectWise RAT, granting attackers control over compromised systems. The campaign incorporates enhanced email spoofing and credential phishing strategies, leveraging SSA logos and branding to heighten credibility.

One distinctive technique is the use of one-time-use payloads: the first visit to the malicious link serves the RAT installer, while subsequent visits redirect to legitimate SSA pages. The switch is keyed on browser cookies, which defeats automated defenses and security research tools that revisit the link.

Exploitation and Goals

After installing the malware, attackers exploit victims further by redirecting them to phishing pages designed to capture sensitive personal and financial data, including:

  • Social Security Numbers
  • Credit card details
  • Mother’s maiden name
  • Phone carrier PINs

The focus on phone carrier PINs indicates an intent to facilitate account takeovers and unauthorized transfers. Early versions of the campaign used ConnectWise’s infrastructure for command-and-control operations, but recent iterations rely on dynamic DNS services and attacker-owned domains to evade detection.

Evolving Threats

Follow-up phishing emails prompt victims to confirm actions via buttons labelled “I Have Opened the File,” directing them to further credential-harvesting sites. These tactics expand the scope of the breach and demonstrate the attackers’ ability to adapt and refine their methods.

The Cofense report emphasizes the ongoing risk posed by such campaigns, urging organizations and individuals to adopt robust cybersecurity practices to counter these threats effectively.

Attackers Employ TeamViewer to Gain Initial Access to Networks


Organisations have long used TeamViewer to provide remote assistance, collaboration, and access to endpoint devices. Like other legitimate remote access tools, it is also frequently used by attackers to gain initial access to target systems.

The most recent example is a pair of attempted ransomware deployments that Huntress researchers recently came across.

Unsuccessful ransomware deployment

The attacks that Huntress detected targeted two separate endpoint devices belonging to Huntress customers. Both incidents involved failed attempts to install what appeared to be ransomware built from the leaked LockBit 3.0 builder.

Further investigation revealed that TeamViewer was the initial point of access for the attackers to both endpoints. The logs showed that the same threat actor was responsible for both occurrences, as the attacks originated from an endpoint with the same hostname.

After initially gaining access via TeamViewer, the threat actor used one of the computers for roughly seven minutes, and on the other, the attacker's session lasted for over ten minutes. 

How the attacker gained control of the TeamViewer instances in both incidents is not explained in Huntress' report. However, Harlan Carvey, senior threat intelligence analyst at Huntress, notes that some of the TeamViewer logins appear to come from outdated systems.

"The logs provide no indication of logins for several months or weeks before the threat actor's access," Carvey states. "In other instances, there are several legitimate logins, consistent with prior logins — username, workstation name, etc. — shortly before the threat actor's login."

Carvey believes that the threat actor may have purchased access from an initial access broker (IAB), and that the credentials and connection information might have been stolen from other endpoints using a keylogger, infostealers, or other techniques.
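The two indicators Carvey describes, an incoming session from an unfamiliar remote host after months with no logins, and the same remote hostname appearing on more than one endpoint, are straightforward to check against TeamViewer's incoming-connection logs. The script below is an added example written for this page, not Huntress' tooling; the column layout it assumes for `Connections_incoming.txt` (remote ID, remote display name, start, end, local user, connection type, connection ID, tab-separated, dates as dd-mm-yyyy), the approved-ID inventory and every log line are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs in the shape assumed for TeamViewer's
# Connections_incoming.txt, one log per endpoint. All values are made up for
# this example; none come from the Huntress report.
SAMPLE_LOGS = {
    "WS-FINANCE-07": (
        "111111111\tHELPDESK-PC\t15-09-2023 09:02:11\t15-09-2023 09:20:45\tjdoe\tRemoteControl\t{c1}\n"
        "111111111\tHELPDESK-PC\t03-10-2023 14:11:02\t03-10-2023 14:30:10\tjdoe\tRemoteControl\t{c2}\n"
        "111111111\tHELPDESK-PC\t20-11-2023 10:05:33\t20-11-2023 10:21:09\tjdoe\tRemoteControl\t{c3}\n"
        "111111111\tHELPDESK-PC\t08-01-2024 16:40:00\t08-01-2024 16:55:12\tjdoe\tRemoteControl\t{c4}\n"
        "222222222\tDESKTOP-9QX7F2\t13-01-2024 02:41:17\t13-01-2024 02:48:30\tjdoe\tRemoteControl\t{c5}\n"
    ),
    "WS-SALES-12": (
        "111111111\tHELPDESK-PC\t21-06-2023 11:00:00\t21-06-2023 11:15:00\tmsmith\tRemoteControl\t{c6}\n"
        "222222222\tDESKTOP-9QX7F2\t13-01-2024 03:02:44\t13-01-2024 03:13:51\tmsmith\tRemoteControl\t{c7}\n"
    ),
}
# Remote TeamViewer IDs the organisation has approved for support (constructed).
KNOWN_REMOTE_IDS = {"111111111"}
TIME_FORMAT = "%d-%m-%Y %H:%M:%S"  # assumed log timestamp format


def parse_incoming_log(text, endpoint):
    """Turn one endpoint's incoming-connection log into a list of session dicts."""
    sessions = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 6:
            continue  # blank or malformed line
        remote_id, remote_name, start, end, local_user, conn_type = fields[:6]
        sessions.append({
            "endpoint": endpoint,
            "remote_id": remote_id.strip(),
            "remote_name": remote_name.strip(),
            "start": datetime.strptime(start.strip(), TIME_FORMAT),
            "end": datetime.strptime(end.strip(), TIME_FORMAT),
            "local_user": local_user.strip(),
            "type": conn_type.strip(),
        })
    return sessions


def load_samples():
    sessions = []
    for endpoint, text in SAMPLE_LOGS.items():
        sessions.extend(parse_incoming_log(text, endpoint))
    return sessions


def triage(sessions, known_remote_ids, dormant_days=60, work_hours=(7, 19)):
    """Return (session, reasons) pairs for sessions that deserve a closer look.

    Reasons: remote ID outside the approved inventory, a long gap since the
    endpoint's previous incoming session (the dormancy Carvey mentions), and a
    start time outside working hours. Thresholds are tunable assumptions.
    """
    findings = []
    last_end = {}  # endpoint -> end time of its most recent earlier session
    for s in sorted(sessions, key=lambda x: x["start"]):
        reasons = []
        if s["remote_id"] not in known_remote_ids:
            reasons.append("remote TeamViewer ID not in approved inventory")
        prev = last_end.get(s["endpoint"])
        if prev is not None and s["start"] - prev > timedelta(days=dormant_days):
            gap = (s["start"] - prev).days
            reasons.append(f"no incoming session on this endpoint for {gap} days")
        if not (work_hours[0] <= s["start"].hour < work_hours[1]):
            reasons.append("session started outside working hours")
        last_end[s["endpoint"]] = s["end"]
        if reasons:
            findings.append((s, reasons))
    return findings


def shared_remote_hosts(sessions, known_remote_ids):
    """Unapproved remote display names that reached more than one endpoint."""
    seen = defaultdict(set)
    for s in sessions:
        if s["remote_id"] not in known_remote_ids:
            seen[s["remote_name"]].add(s["endpoint"])
    return {name: sorted(eps) for name, eps in seen.items() if len(eps) > 1}


if __name__ == "__main__":
    all_sessions = load_samples()
    for s, reasons in triage(all_sessions, KNOWN_REMOTE_IDS):
        minutes = (s["end"] - s["start"]).total_seconds() / 60
        print(f"{s['endpoint']}: {s['remote_name']} ({s['remote_id']}) "
              f"{s['start']:%Y-%m-%d %H:%M} for {minutes:.1f} min -> {'; '.join(reasons)}")
    print("remote hosts seen on multiple endpoints:",
          shared_remote_hosts(all_sessions, KNOWN_REMOTE_IDS))
```

On the constructed data the two early-morning sessions from the unapproved host are flagged, and the second one is also marked dormant because the endpoint had no incoming session for over 200 days; the helpdesk sessions pass. The cross-endpoint check is what ties the two incidents to one remote hostname, as the Huntress logs did.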

There have been other past instances when attackers employed TeamViewer in a similar manner. One was a campaign launched last May by a threat actor who wanted to install the XMRig crypto mining software on systems after gaining initial access through the tool. 

Another instance featured a data exfiltration campaign, which Huntress investigated in December. According to the incident logs, the threat actor established an initial foothold in the victim environment using TeamViewer. Much earlier, in 2020, Kaspersky reported on attacks against industrial control system setups that used remote access tools like RMS and TeamViewer for first access.

Balancing Industrial Secure Remote Access: Essentiality and Risk Concerns

As industries continue to embrace digitalization and remote operations, industrial secure remote access has become an essential component of modern industrial automation systems. The ability to connect to and manage industrial assets remotely brings numerous benefits, such as increased operational efficiency and reduced downtime. However, alongside these advantages, there are growing concerns among firms regarding the associated risks and potential vulnerabilities.

A recent survey conducted by industry analysts sheds light on the concerns and perspectives of industrial organizations regarding secure remote access. According to the survey, 76% of respondents considered secure remote access to be critical for their operations. The ability to monitor, troubleshoot, and maintain industrial systems remotely enhances productivity and enables rapid response to operational issues.

Despite recognizing the importance of secure remote access, many firms express apprehension about the potential risks it poses. The survey reveals that 64% of respondents are concerned about unauthorized access and potential security breaches. Industries dealing with critical infrastructure, such as energy, manufacturing, and transportation, are particularly cautious due to the potential impact of a cyber attack on public safety, operational continuity, and financial stability.

To address these concerns, industrial organizations need to adopt comprehensive security measures and best practices for secure remote access. Firstly, implementing strong authentication protocols, such as multifactor authentication, can significantly reduce the risk of unauthorized access. Secondly, establishing secure virtual private network (VPN) connections and encrypted communication channels ensures data confidentiality and integrity during remote sessions.

Additionally, organizations must prioritize network segmentation to isolate critical industrial assets from the broader network. By implementing a defense-in-depth strategy, organizations can limit the impact of a security breach and prevent lateral movement within the network. Regular patching and updating of remote access software, firewalls, and security systems are also crucial to addressing emerging vulnerabilities and protecting against evolving threats.

Furthermore, employee education and awareness play a vital role in maintaining a secure remote access environment. Training programs can help employees recognize and report suspicious activities, understand the importance of strong passwords, and practice good cybersecurity hygiene. Organizations should also enforce strict access controls, granting remote access privileges only to authorized personnel with a legitimate need.

Industrial operations in the present era unquestionably require secure remote access, but businesses' worries about the associated risks and vulnerabilities must not be discounted. By implementing strong security measures, adopting best practices, and fostering a culture of cybersecurity awareness, organizations can strike a balance between the advantages and risks of remote access and ensure the safety and integrity of their industrial systems in an increasingly interconnected world.

Hackers Exploit Action1 RMM in Ransomware Attacks


Remote Monitoring and Management (RMM) tools are an essential part of IT management, allowing businesses to remotely monitor and manage their IT systems. However, recent reports indicate that hackers increasingly target RMM tools to launch ransomware attacks against businesses.

One RMM tool specifically targeted is Action1, a cloud-based endpoint management platform. Hackers have been exploiting vulnerabilities in the platform to gain unauthorized access to systems and launch ransomware attacks.

According to a tweet by Kostas Tsartsaris, an information security researcher, attackers have been abusing Action1 RMM to deploy Cobalt Strike and other malicious payloads. Cobalt Strike is a powerful penetration testing tool that has been repurposed by hackers for use in ransomware attacks.

Businesses can turn to Digital Forensics and Incident Response (DFIR) services to prevent and respond to such attacks. These services allow businesses to quickly identify and respond to cybersecurity incidents, including ransomware attacks.

In response to the rising threat of ransomware, Action1 has unveiled an AI-based threat-hunting solution. This solution uses machine learning algorithms to detect and respond to potential security threats in real-time.

While RMM tools are essential for IT management, businesses must be aware of the security risks associated with them. By implementing robust security measures, such as DFIR services and AI-based threat hunting solutions, businesses can help protect their systems and data from ransomware and other cybersecurity threats.

It is important for businesses to remain vigilant and proactive in their approach to cyber security. By staying up-to-date with the latest security trends and implementing best practices, businesses can help to mitigate the risks of cyber-attacks and protect their valuable data.

APT41: Cyberespionage Group Targets Asian Materials Industry


The Chinese-sponsored APT41 cyberespionage group, also known as Blackfly, Barium, Bronze Atlas, Double Dragon, Wicked Panda, and Wicked Spider, has been one of the most active threat groups since at least 2007.

The group has recently been targeting two subsidiaries of a major Asian conglomerate that apparently specializes in materials and composites. The attack came shortly after another, distinct campaign against the Asian materials sector.

The APT41 attack used the Winnkit backdoor, Mimikatz, and several tools for credential dumping, screen capture, process hollowing, SQL querying, memory dumping (ForkPlayground), and proxy configuration.

In a separate case, Symantec found a materials research organization in Asia being targeted by a previously unidentified threat group named 'Clasiopa', which does not appear to be linked to APT41.

Clasiopa is believed to have gained access to the targeted organization by brute-forcing public-facing servers, then using a variety of post-exploitation tools: the Atharvan remote access trojan (RAT), a modified version of the Lilith RAT, the Thumbsender hacking tool, and a custom proxy tool. According to Symantec, the threat actor used the backdoors to compile lists of files and exfiltrate them, deleted logs, set a scheduled task to list file names, and checked the IP addresses of the compromised machines in an effort to disable endpoint protections.

Moreover, it appears that Clasiopa used legitimate software from Agile and Domino throughout the attack, but it is still unclear whether the attackers deployed the tools themselves or simply abused existing installations. The Atharvan backdoor is reportedly able to download arbitrary files from the server, execute files, and configure communications with the C&C server, all based on the commands received from its operators.

In addition, the Atharvan RAT can terminate or restart programs, receive remote commands and PowerShell scripts, and terminate and uninstall itself. Further analysis of Atharvan revealed a Hindi mutex and a password, suggesting that Clasiopa could be based in India, although Symantec says these could be false flags planted by the threat group to muddle the investigation.

Australian Hacker Charged for Spyware Creation Used by Pedophiles

An Australian citizen, Wayne Jacob John Keen, age 24, has been accused of participating in the development and distribution of malware used by pedophiles and domestic violence offenders.

A Remote Access Trojan is a type of malware that gives hackers complete remote control over an infected device, enabling them to run programs, log keystrokes, access files and data, install other programs, take screenshots, and even record video from the webcam.

The offender is alleged to have developed the remote access trojan (RAT) when he was 15 years old and served as the tool's administrator from 2013 until the government shut it down in 2019.

Malware Execution

According to a cybersecurity firm, in 2019 authorities identified the creator of IM RAT, who goes by the online handle 'Shockwave'. Palo Alto Networks reported that it had seen more than 115,000 IM RAT attacks targeting its clients alone, and the security firm collected more than 65,000 samples of the malware.

Advertised as a reliable tool for remote administration, IM RAT has a lifetime license price range of $25 to $100. Its touted features were remote control of Windows servers, remote support, staff monitoring, and remote connections to personal or business computers.

According to the AFP, "The hacker illegally sold the malware to more than 14,500 people in 128 different countries. PayPal users from Australia who purchased IM RAT are identified as respondents on domestic violence orders in a statistically large portion (14.2%) of cases. Additionally, one of these buyers is listed on the Child Sex Offender Register."

The federal authorities added that the developer earned between $300,000 and $400,000 since the business began operating in 2013. These funds were mainly used to pay for food deliveries and to buy 'other consumable and disposable products.'

A 42-year-old woman who lives in the same home as the accused is identified by The Guardian as the perpetrator's mother and has also been charged with 'dealing with the proceeds of crime.'

In coordination with more than a dozen European law enforcement agencies, 85 search warrants were issued globally as part of the operation, resulting in the seizure of 434 devices and the detention of 13 people for using the malware for malicious purposes.


Hazardous Redirect Web Server Evokes Malicious Campaigns On Over 16,500 Sites


Parrot is a new traffic direction system (TDS) that runs on a few servers hosting over 16,500 sites belonging to government agencies, universities, adult platforms, and personal blogs. The service has reportedly been used in various cyberattacks that divert victims to phishing pages or to sites that install malware on their systems, with the redirection depending on individual user characteristics such as location, language, operating system, and browser.

Threat actors running malicious campaigns buy TDS services to filter incoming traffic and route it to a final destination that serves harmful content. Advertisers and marketers use TDS legitimately, and most TDS services are used routinely by marketing professionals, which is why there are credible reports showing how similar campaigns were executed in the recent past.

Avast threat researchers identified Parrot TDS while investigating a campaign called FakeUpdate, which distributes remote access trojans (RATs) through fake browser update alerts. The campaign appears to have begun in February 2022, but there are traces of Parrot activity dating back to October 2021.

"One of the primary differences between Parrot TDS and other TDS is its broad nature and a large number of possible victims," says Avast in the research. "Apart from servers hosting poorly secured CMS sites, such as WordPress sites, the hijacked websites we discovered appear to have nothing in common."

Avast services prevented more than 600,000 of its users from visiting these compromised sites in March 2022 alone, demonstrating the Parrot redirection gateway's huge reach. The majority of the people who were redirected were from Brazil, India, the United States, Singapore, and Indonesia. 

The operators accomplish this by redirecting victims to dedicated URLs, backed by extensive visitor profiling and carefully built tooling. While the TDS appears to be focused primarily on the RAT campaign, security experts believe some of the affected servers also host phishing sites.

Those phishing pages look just like a genuine Microsoft login page and prompt visitors to enter their login credentials. The best strategy for web users against malicious redirections is to keep an up-to-date internet security solution running at all times. Avast advises administrators of possibly compromised web servers to take the following steps:

  • Use an antivirus to scan all files on the web server.
  • Replace all original JavaScript and PHP files on the web server.
  • Use the most recent CMS and plugin versions.
  • Look for cron jobs or other automatically executing processes on the web server.
  • Always use unique and strong credentials for all services and accounts, and use two-factor authentication whenever possible.
  • Use some of the security plugins available for WordPress and Joomla.
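The first two of Avast's steps amount to an integrity check: knowing which JavaScript and PHP files changed since the site was last known clean, and looking inside the changed ones for the obfuscated loader code a TDS injects. The script below is an added example for this page, not Avast's or any CMS vendor's tooling. It builds a SHA-256 manifest of a web root, compares the tree against it later, and applies a few heuristic patterns to the files that differ; the sample tree, the injected marker line and the pattern list are constructed assumptions, and the patterns are coarse indicators to prioritise review, not a definition of malicious code.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Coarse heuristics for injected or obfuscated code in web files (assumed list,
# tuned for triage rather than precision).
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\beval\s*\("), "eval() call"),
    (re.compile(r"String\.fromCharCode"), "String.fromCharCode decoding"),
    (re.compile(r"\bbase64_decode\s*\("), "base64_decode() call"),
    (re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"), "long base64-like blob"),
    (re.compile(r"(?:\\x[0-9a-fA-F]{2}){16,}"), "long hex-escaped string"),
]


def hash_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_tree(manifest, root):
    """Diff the current tree against a known-good manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "added": sorted(p for p in current if p not in manifest),
        "removed": sorted(p for p in manifest if p not in current),
    }


def scan_file(path):
    """Return the labels of every suspicious pattern found in a file."""
    text = Path(path).read_text(encoding="utf-8", errors="ignore")
    return [label for pattern, label in SUSPICIOUS_PATTERNS if pattern.search(text)]


def _write(root, rel, content):
    target = root / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(content, encoding="utf-8")


def demo():
    """Constructed walk-through: snapshot a clean site, tamper, then review."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _write(root, "index.php", "<?php echo 'hello'; ?>\n")
        _write(root, "assets/app.js", "document.title = 'site';\n")
        _write(root, "wp-includes/load.php", "<?php // core file ?>\n")
        manifest = build_manifest(root)  # taken while the site is known clean

        # Constructed tampering: an appended obfuscated-looking marker (decodes to
        # the digit 1) and an unexpected PHP file in an uploads directory.
        with open(root / "assets/app.js", "a", encoding="utf-8") as handle:
            handle.write("eval(String.fromCharCode(49));\n")
        _write(root, "wp-content/uploads/cache.php", "<?php // constructed unexpected file ?>\n")

        diff = compare_tree(manifest, root)
        flags = {rel: scan_file(root / rel) for rel in diff["modified"] + diff["added"]}
        return {"diff": diff, "flags": flags}


if __name__ == "__main__":
    result = demo()
    for kind in ("modified", "added", "removed"):
        print(f"{kind}: {result['diff'][kind]}")
    for rel, labels in result["flags"].items():
        print(f"{rel}: {labels or 'no heuristic hits'}")
```

In practice the manifest is generated from a fresh CMS and plugin install or a trusted backup and stored off the web server, so an intruder who can edit `app.js` cannot also rewrite the baseline. Files that are modified or new and also trip a heuristic are the ones to inspect first; a new file with no hits (the `cache.php` above) still warrants a look because it was not part of the baseline.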

Threat Advert is a New Service Strategy Invented by AsyncRAT


AsyncRAT is a Remote Access Tool (RAT) that uses a secure, encrypted connection to monitor and control other machines remotely. It is an open-source tool, but it can easily be used maliciously because it includes features such as keylogging and remote desktop control that could compromise the victim's PC. AsyncRAT can be distributed in a variety of ways, including spear-phishing, malvertising, exploit kits, and other means.

Morphisec, using its Moving Target Defense breach-prevention technology, has detected a new, advanced distribution campaign that has been evading several security providers.

Attackers are spreading AsyncRAT to targeted machines using a simple phishing email with an HTML attachment. AsyncRAT is designed to remotely monitor and control compromised systems over a protected, encrypted connection. This campaign ran for 4 to 5 months with some of the lowest detection rates on VirusTotal.

Victims received an email with an HTML attachment styled as a receipt, in many cases named Receipt-<digits>.html. When the victim opens the receipt, they are taken to a web page that prompts them to save a downloaded ISO file. The user believes this is a routine file download that has passed through all port and network security scanning. That is not the case.

The ISO is in fact generated inside the user's browser by JavaScript hidden within the HTML receipt file, rather than being downloaded from a remote server.
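Because the ISO never crosses the network as a file, a mail gateway that only scans attachments for executable content sees an HTML page. What it can do instead is look inside the HTML for the browser APIs that assemble and hand over a file locally. The checker below is an added example for this page, not Morphisec's detection logic; the indicator list, the scoring threshold and both sample documents are constructed assumptions, and the suspicious sample contains only indicator fragments with a placeholder literal rather than a working dropper.

```python
import re
from html.parser import HTMLParser

DOWNLOAD_LABEL = "sets a programmatic download name"

# Script-level indicators that a file is being built and offered for download
# from inside the page (assumed list; each is common in benign code on its own,
# so the verdict rests on how many co-occur).
INDICATORS = [
    (re.compile(r"\bnew\s+Blob\s*\("), "builds file bytes in memory with Blob"),
    (re.compile(r"\batob\s*\("), "base64-decodes embedded data with atob"),
    (re.compile(r"URL\.createObjectURL"), "creates an object URL for a generated file"),
    (re.compile(r"msSaveOrOpenBlob"), "uses the legacy msSaveOrOpenBlob download API"),
    (re.compile(r"\.download\s*="), DOWNLOAD_LABEL),
    (re.compile(r"""['"][^'"]*\.(?:iso|img|zip)['"]""", re.I), "names a disk-image or archive file"),
    (re.compile(r"[A-Za-z0-9+/]{500,}={0,2}"), "contains a long base64-like literal"),
]


class _ScriptCollector(HTMLParser):
    """Collect inline <script> bodies and any <a download> attributes."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self.download_attrs = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
            self.scripts.append("")
        elif tag == "a" and "download" in attrs:
            self.download_attrs.append(attrs.get("download") or "")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


def analyze_html(document, threshold=3):
    """Score an HTML attachment by how many in-browser file-building indicators it shows."""
    parser = _ScriptCollector()
    parser.feed(document)
    parser.close()
    script_text = "\n".join(parser.scripts)
    hits = [label for pattern, label in INDICATORS if pattern.search(script_text)]
    if parser.download_attrs and DOWNLOAD_LABEL not in hits:
        hits.append(DOWNLOAD_LABEL)
    return {"score": len(hits), "hits": hits,
            "verdict": "suspicious" if len(hits) >= threshold else "clean"}


# Constructed sample: an ordinary receipt page with a harmless inline script.
BENIGN_HTML = (
    "<html><body><h1>Receipt #0417</h1>\n"
    "<table><tr><td>Widget</td><td>$12.00</td></tr></table>\n"
    '<script>document.title = "Receipt #0417";</script>\n'
    "</body></html>"
)

# Constructed sample: indicator fragments only, with a placeholder literal.
SUSPICIOUS_HTML = (
    "<html><body><p>Your receipt is being prepared...</p>\n"
    "<script>\n"
    "// constructed indicator fragments, not a working dropper\n"
    'var PAYLOAD = "' + "A" * 600 + '";\n'
    "var bytes = atob(PAYLOAD);\n"
    'var blob = new Blob([bytes], {type: "application/octet-stream"});\n'
    "var link = {};\n"
    "link.href = URL.createObjectURL(blob);\n"
    'link.download = "Receipt-0417.iso";\n'
    "</script></body></html>"
)

if __name__ == "__main__":
    for name, doc in (("benign receipt", BENIGN_HTML), ("smuggling receipt", SUSPICIOUS_HTML)):
        result = analyze_html(doc)
        print(f"{name}: {result['verdict']} (score {result['score']})")
        for hit in result["hits"]:
            print("  -", hit)
```

The benign receipt scores zero and the constructed smuggling page trips six indicators. Run on real mail flow this belongs beside, not instead of, sandbox detonation: a gateway that opens HTML attachments in an instrumented browser will see the ISO appear as a download event, which is the most reliable signal for this technique.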

To reduce the possibility of infection by AsyncRAT, users should take the following steps:

  • Keep antivirus signatures and engines updated.
  • Enable automatic updates to ensure that the operating system has the most recent security fixes.
  • Do not make email addresses public on the internet.
  • Don't open email attachments with strange-looking extensions, and proceed with caution when opening any email attachment, especially from unknown senders.
  • Exercise caution when opening emails with generic subject lines.